Application Control Best Practices

Note: You will need SSL Inspector installed, enabled, and configured with the root certificate deployed to fully leverage the functionality of Application Control.

Application Control is an often overlooked yet incredibly robust module that is relatively simple to learn and configure. There are four tabs in Application Control: Status, Applications, Rules and Reports. The meat and potatoes of the Application Control settings lie in the Applications and Rules tabs.

Rules Tab:

The rules tab allows you to create custom Application control rules. Application Control Rules provide a very powerful feature that can be used to control application usage. For example, some of the default rules that are implemented but not enabled in Application Control are very powerful and useful. We recommend reviewing these rules and enabling those that will provide benefit.

Default Rules:


Rule ID 100001 - 'Block all TCP port 443 traffic that is not HTTPS' Port 443 is most commonly associated with HTTPS web traffic and because of that it is often overlooked as a possible threat vector. Other traffic can ride on port 443. If you do not have any applications that utilize port 443 for anything other than HTTPS then we recommend enabling this rule.

Rule ID 100003 - 'Block all TCP port 80 traffic that is not HTTP' Just like port 443, port 80 is most commonly associated with web traffic but this time HTTP. If you do not have any applications that require port 80 for anything other than web-based HTTP traffic then we recommend enabling this rule.

Rule ID 100004 - 'Block all TCP port 22 traffic that is not SSH' SSH is a protocol that provides secure command-line access to remote systems. It is a widely used protocol, and very few (if any) other legitimate applications use port 22 for anything other than SSH. If SSH is in use on your network we recommend enabling this rule. (If you wish to block all SSH access, we recommend doing so via a Forward Filter Rule.)

Rule ID 100005 - 'Tarpit all traffic classified as "Proxy" applications' Tarpitting is ideal for 'proxy' or 'anonymizer' applications. These applications are designed to evade Application Control detection by dynamically changing port numbers and callouts. Setting anonymizer or proxy applications to tarpit will often prevent them from functioning on your network when the block action is not effectively stopping this traffic.
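As an added illustration, not code from the product itself, the following Python models how these four default rules decide an action for a classified session. It assumes first-match evaluation in rule order and that the port-based rules apply to TCP only (as their names state); the session field names and the sample application names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of Application Control rule evaluation (example code,
# not the product's implementation). A session carries the server port and
# the application/category the engine classified it as; rules are checked
# in order and the first enabled match decides the action.

@dataclass(frozen=True)
class Session:
    proto: str      # "TCP" or "UDP"
    port: int       # server port
    app: str        # classified application, e.g. "HTTPS", "SSH"
    category: str   # classified category, e.g. "Web", "Proxy"

@dataclass(frozen=True)
class Rule:
    rule_id: int
    description: str
    action: str                     # "BLOCK" or "TARPIT"
    enabled: bool
    port: Optional[int] = None      # match TCP traffic on this port...
    not_app: Optional[str] = None   # ...whose classified app is not this one
    category: Optional[str] = None  # or match this category on any port

    def matches(self, s: Session) -> bool:
        if self.port is not None:
            return s.proto == "TCP" and s.port == self.port and s.app != self.not_app
        return s.category == self.category

# The four default rules described above. They ship disabled; a deployment
# enables the ones that suit it (all enabled here for the demonstration).
DEFAULT_RULES = [
    Rule(100001, "Block all TCP port 443 traffic that is not HTTPS", "BLOCK", True, port=443, not_app="HTTPS"),
    Rule(100003, "Block all TCP port 80 traffic that is not HTTP", "BLOCK", True, port=80, not_app="HTTP"),
    Rule(100004, "Block all TCP port 22 traffic that is not SSH", "BLOCK", True, port=22, not_app="SSH"),
    Rule(100005, "Tarpit all traffic classified as Proxy applications", "TARPIT", True, category="Proxy"),
]

def evaluate(session: Session, rules=DEFAULT_RULES) -> str:
    """Return the action for a session: first enabled matching rule wins, else PASS."""
    for rule in rules:
        if rule.enabled and rule.matches(session):
            return f"{rule.action} (rule {rule.rule_id})"
    return "PASS"
```

Note that a UDP session on port 443 is not covered by rule 100001 as written, and a proxy application tunnelling over TCP 443 is caught by rule 100001 before rule 100005 is consulted.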

Tarpitting - What to do when Applications that are set to block are no longer being blocked:


Tarpitting is the process of purposely delaying or dropping incoming connections. For TCP, this makes it appear to both the client and the server that the other party is receiving the data but is not responding; the data is silently dropped. For UDP, it is identical in behavior to block except that the connection is kept open, so the next packet is dropped instead of being recategorized as a new session. Tarpitting is sometimes a workaround when an application has changed its signature and the block action is no longer catching its traffic.